Enable Pimox worker pipeline by default

bootstrap/provisioning/README.md

@@ -85,8 +85,8 @@ Run the cluster layer from the Debian homelab server after the cloned VM is reac
 
 ## Pimox Automation
 
-`./lab.sh up` sets `TF_VAR_pimox_template_builder_enabled=true` by default when
-Pimox is reachable. The layer SSHes into the
+`./lab.sh up` runs Pimox provisioning by default and sets
+`TF_VAR_pimox_template_builder_enabled=true` when Pimox is reachable. The layer SSHes into the
 Pimox host, create the template-build VM with `qm`, boot it from PXE, wait for
 the installed VM over SSH, run `/usr/local/sbin/homelab-prepare-template.sh`,
 power it off, switch boot order back to disk first, and run `qm template`.
@@ -97,7 +97,7 @@ template-build VM. If you still want to force a known address, set
 `TF_VAR_pimox_template_build_host`.
 
 ```bash
-LAB_PIMOX_PIPELINE=true ./lab.sh up
+./lab.sh up
 ```
 
 Defaults match the observed Pimox template VM shape: OVMF firmware, virtio
@@ -107,8 +107,8 @@ networking, virtio-scsi disk, `vmbr0`, `local` template storage, 1 socket with
 `TF_VAR_pimox_template_memory` if the Orange Pi template layout changes.
 
 `./lab.sh up` also creates or reuses worker clones after the template exists. It
-defaults to two workers, VMIDs `9010` and `9011`, names like
-`pimox-worker-01`, deterministic locally administered MAC addresses, 1 socket
+defaults to one worker, VMID `9010`, name `pimox-worker-01`, deterministic
+locally administered MAC address, 1 socket
 with 2 cores, 4 GiB RAM, `nvme_thin_pool` clone storage, and qemu-guest-agent IP
 discovery. New workers are full clones created with
 `qm clone --storage`, so the template can remain on `local` while worker disks

lab.sh

@@ -664,7 +664,7 @@ prepare_cluster_worker_var_file() {
 }
 
 run_pimox_pipeline() {
-    local mode="${LAB_PIMOX_PIPELINE:-false}"
+    local mode="${LAB_PIMOX_PIPELINE:-true}"
     local pimox_host="${LAB_PIMOX_HOST:-${TF_VAR_pimox_host:-192.168.100.80}}"
     local pimox_user="${LAB_PIMOX_USER:-${TF_VAR_pimox_user:-jv}}"
     local pimox_key="${LAB_PIMOX_SSH_KEY_PATH:-${TF_VAR_pimox_ssh_key_path:-/home/jv/.ssh/id_ed25519}}"
@@ -674,10 +674,9 @@ run_pimox_pipeline() {
     local template_name="${LAB_PIMOX_TEMPLATE_NAME:-${TF_VAR_pimox_template_name:-debian13-arm64-k8s-template}}"
     local template_cores="${LAB_PIMOX_TEMPLATE_CORES:-${TF_VAR_pimox_template_cores:-2}}"
     local template_memory="${LAB_PIMOX_TEMPLATE_MEMORY:-${TF_VAR_pimox_template_memory:-4096}}"
-    local template_cpu_affinity="${LAB_PIMOX_TEMPLATE_CPU_AFFINITY:-${TF_VAR_pimox_template_cpu_affinity:-}}"
     local template_replace_existing="${LAB_PIMOX_TEMPLATE_REPLACE_EXISTING:-${TF_VAR_pimox_template_replace_existing:-false}}"
     local provisioning_interface
-    local worker_count="${LAB_PIMOX_WORKER_COUNT:-2}"
+    local worker_count="${LAB_PIMOX_WORKER_COUNT:-1}"
     local worker_base_vmid="${LAB_PIMOX_WORKER_BASE_VMID:-9010}"
     local worker_name_prefix="${LAB_PIMOX_WORKER_NAME_PREFIX:-pimox-worker}"
     local worker_node_prefix="${LAB_PIMOX_WORKER_NODE_PREFIX:-pimox-worker}"
@@ -697,7 +696,6 @@ run_pimox_pipeline() {
     local index
     local readiness_output
     local readiness_status
-    local template_cpu_count
     local worker_cpu_affinity
 
     if disabled_value "${mode}"; then
@@ -724,16 +722,6 @@ run_pimox_pipeline() {
         echo "Pimox template and worker CPU and memory values must be greater than zero." >&2
         exit 1
     fi
-    if [[ -n "${template_cpu_affinity}" ]]; then
-        if ! template_cpu_count="$(cpuset_cpu_count "${template_cpu_affinity}")"; then
-            echo "Invalid Pimox template CPU affinity '${template_cpu_affinity}'. Use CPU IDs or ranges, such as 4-5." >&2
-            exit 1
-        fi
-        if ((template_cpu_count != template_cores)); then
-            echo "Pimox template uses ${template_cores} cores but affinity '${template_cpu_affinity}' contains ${template_cpu_count} CPUs." >&2
-            exit 1
-        fi
-    fi
     if ! truthy "${worker_replace_existing}" && ! disabled_value "${worker_replace_existing}"; then
         echo "LAB_PIMOX_WORKER_REPLACE_EXISTING must be true or false." >&2
         exit 1
@@ -789,7 +777,6 @@ fi" 2>&1)"
     export TF_VAR_pimox_template_name="${template_name}"
     export TF_VAR_pimox_template_cores="${template_cores}"
     export TF_VAR_pimox_template_memory="${template_memory}"
-    export TF_VAR_pimox_template_cpu_affinity="${template_cpu_affinity}"
     export TF_VAR_pimox_template_replace_existing="${template_replace_existing}"
     export TF_VAR_pimox_template_builder_enabled="${TF_VAR_pimox_template_builder_enabled:-true}"
     export TF_VAR_pimox_template_build_ssh_key_path="${TF_VAR_pimox_template_build_ssh_key_path:-${worker_key_path}}"
@@ -2554,7 +2541,11 @@ up() {
 
     deploy_gitea
     bootstrap_gitea_repo
-    prepare_cluster_worker_var_file true
+    run_pimox_pipeline
+    run_openwrt_pipeline
+    if [[ -z "${LAB_CLUSTER_VAR_FILE:-}" ]]; then
+        prepare_cluster_worker_var_file true
+    fi
     run_tofu_stack "bootstrap/cluster"
     run_tofu_stack "bootstrap/platform"
     apps
@@ -2571,7 +2562,11 @@ rebuild_cluster() {
     echo "Rebuilding the Kubernetes cluster without touching external Raspberry Pi Gitea..."
 
     nuke
-    prepare_cluster_worker_var_file true
+    run_pimox_pipeline
+    run_openwrt_pipeline
+    if [[ -z "${LAB_CLUSTER_VAR_FILE:-}" ]]; then
+        prepare_cluster_worker_var_file true
+    fi
     run_tofu_stack "bootstrap/cluster"
     run_tofu_stack "bootstrap/platform"
     apps